Mirai-like Botnet Targets Zyxel NAS Devices in Europe for DDoS Attacks


Zyxel NAS devices are under attack! Mirai-like botnet exploits a recent vulnerability (CVE-2024-29973). Patch Now to Prevent Takeover! Learn how to secure your NAS from potential hijacking and DDoS attacks.

A new botnet, eerily similar to the notorious Mirai botnet, has been discovered targeting two “discontinued” Zyxel Network Attached Storage (NAS) devices across Europe.

Outpost24's Vulnerability Research Department reported three critical vulnerabilities in NAS devices made by the Taiwanese networking equipment manufacturer Zyxel in March 2024.

Now Censys researchers report that a Mirai-like botnet is targeting these vulnerable endpoints, potentially allowing its operators to gain root privileges, execute malicious code, steal sensitive data and install malware.

These ‘critical’ vulnerabilities are tracked as CVE-2024-29973 (Python Code Injection Vulnerability), CVE-2024-29972 (NsaRescueAngel Backdoor Account), and CVE-2024-29974 (Persistent Remote Code Execution Vulnerability), all having a CVSS score of 9.8. 

These specifically affect outdated Zyxel NAS models NAS326 (versions before V5.21(AAZF.16)C0) and NAS542 (versions before V5.21(ABAG.13)C0). Both models have reached end-of-life, but Zyxel decided to patch them anyway because some organizations hold extended warranties.

The Shadowserver Foundation, which monitors security threats, reports that threat actors are scanning for CVE-2024-29973 to assemble endpoints into a botnet. IBM X-Force discovered this remote code injection flaw last year, following Zyxel's patching of CVE-2023-27992.

CVE-2024-29972 and CVE-2024-29973 are command injection bugs exploited via crafted HTTP POST requests without authentication, while CVE-2024-29974 allows attackers to execute arbitrary code via crafted configuration files. A proof-of-concept is available here.

Once compromised, these devices become part of a botnet, potentially used to launch DDoS attacks against critical infrastructure or businesses. Europe is particularly vulnerable, with 1,194 Zyxel devices exposed overall, including 197 hosts in Italy, 166 in Russia, 149 in Hungary, and 144 in Germany. 

Screenshot: Censys

Outpost24 security researcher Timothy Hjort explained that a security defect occurred while patching CVE-2023-27992, where a new endpoint was added to patch the existing one, implementing “the same mistakes as its predecessors.”

For your information, the Mirai botnet is a large network of hijacked devices infected with malware that allows them to be remotely controlled by attackers. 

Cybercriminals frequently target NAS devices from Zyxel, D-Link, and QNAP due to their importance for organizations and frequent misconfiguration. In April, a high-severity security vulnerability, disclosed by netsecfish, was found affecting thousands of D-Link NAS devices, allowing malicious code execution, data theft, and DoS attacks.

To stay secure, identify your Zyxel NAS model and version, download and install the latest security patch if your device is vulnerable, and consider disabling remote access. Consult Zyxel’s website for more information.
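As an added example (not code from the article or from Zyxel), the script below shows how a defender could triage an inventory of NAS326 and NAS542 devices against the fixed firmware versions quoted above. The version-string layout V<major>.<minor>(<model code>.<patch>)C<n>, the ordering by major, minor and patch number, and the sample inventory are all assumptions made for this example.

```python
import re

# Fixed versions as quoted in the article: anything earlier is vulnerable.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.16)C0",
    "NAS542": "V5.21(ABAG.13)C0",
}

# Assumed layout of Zyxel's version string: V<major>.<minor>(<model code>.<patch>)C<n>
VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


def parse_version(version: str):
    """Return (major, minor, patch, model_code); raise ValueError on an unknown layout."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel version string: {version!r}")
    major, minor, code, patch, _build = m.groups()
    return (int(major), int(minor), int(patch), code)


def is_vulnerable(model: str, version: str) -> bool:
    """True when the running firmware predates the fixed release for this model."""
    if model not in FIXED_VERSIONS:
        raise ValueError(f"no fix information for model {model!r}")
    f_major, f_minor, f_patch, f_code = parse_version(FIXED_VERSIONS[model])
    major, minor, patch, code = parse_version(version)
    if code != f_code:
        # The model code inside the parentheses must match, otherwise the
        # inventory entry and the firmware disagree about what the device is.
        raise ValueError(f"version {version!r} does not belong to model {model!r}")
    return (major, minor, patch) < (f_major, f_minor, f_patch)


def triage(inventory):
    """Return the (host, model, version) entries that still need the patch."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("nas-01.example.internal", "NAS326", "V5.21(AAZF.15)C0"),
    ("nas-02.example.internal", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-03.example.internal", "NAS542", "V5.20(ABAG.12)C0"),
    ("nas-04.example.internal", "NAS542", "V5.21(ABAG.14)C0"),
]

if __name__ == "__main__":
    for host, model, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} {version} is vulnerable, update to {FIXED_VERSIONS[model]}")
```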
